
Recent Major Data Leakage Incidents in Korea: Personal Data, Cyber Threats, and Destructive Attacks

This article highlights recent major data leakage incidents in Korea, including personal data breaches, cyber threats, and destructive attacks. It covers incidents involving financial institutes, online game sites, credit card companies, and internet service operators. It also provides an overview of ISMS/PIMS certification systems in Korea.


Presentation Transcript


  1. Recent major data leakage incidents in Korea

  2. Cyber threat landscape in Korea (diagram)
  • Threat types: personal data leakage, DDoS, APT, destructive attacks
  • Targets shown: internet operators, resident registration numbers, internet portals

  3. Recent major PII leakage incidents (1/3)
  • April 17, 2011: personal information leakage incident at a Korean financial institute.
    • Personal information of 420,000 customers, including names, email addresses, and cell phone information, was leaked as a result of hacking.
    • The first systematic access to customer financial information by hackers in Korea.
  • July 26, 2011: personal information leakage at a major portal.
    • Personal information of its 35 million online users was hacked.
    • The leakage of customer information took place due to hacking on July 26, 2011.
    • Users' names, phone numbers, email addresses, resident registration numbers, and passwords were leaked.

  4. Recent major PII leakage incidents (2/3)
  • November 26, 2011: personal information leakage at an online game site.
    • The personal data of 13.2 million subscribers was leaked from the online game site.
    • The passwords and resident registration numbers were encrypted.
    • Presumably originated from malicious code in China.
  • January 19, 2014: major credit card data leakage incidents.
    • Disclosed by the Korea Prosecutors' Office on January 19, 2014.
    • Victims: three local credit card companies, the K* Card, the L* Card and the N* Card.
    • Who stole the data: an employee of a subcontractor (a supplier to the credit card companies) who had been dispatched to upgrade the fraud detection systems of the three companies.
    • Volume of personal data leaked: 104 million pieces of cardholders' personal and financial information.

  5. Recent major PII leakage incidents (3/3)
  • March 6, 2014: personal data leakage at an Internet service operator's website.
    • Personal data of 9.81 million customers was leaked between August 2013 and February 2014 in a hack on its website: vulnerabilities in the operator's website were exploited to steal customers' personal data.
    • Three suspects, including a telemarketer, were arrested for allegedly hacking into the company's website and stealing the personal data of 9.81 million clients of the mobile carrier.
    • The leaked personal data included names, resident registration numbers, places of employment, and bank account details.
    • The operator was fined 85 million won ($83,650) by the Korea Communications Commission (KCC) for the leak of personal data.

  6. ISMS/PIMS certification systems

  7. Overview of ISMS/PIMS certification
  • There are two types of management system certification in Korea: ISMS and PIMS.
  • ISMS certification was put into force in 2001, while PIMS was put into force in 2011.
  • Legal grounds:
    • Both ISMS and PIMS are based on Article 47 (Certification of information security management system) of the 'Act on the Promotion of Information and Communication Network Utilization and Information Protection, etc.'
    • Mandatory ISMS certification for sizable enterprises has been enforced since 2013.
  • Local standards and criteria compatible with ISO/IEC 27001:
    • The ordinance of MSIP for ISMS certification and KCS for PIMS certification, which aim to help organizations improve the safety and reliability of their information networks.
    • KCS.KO-12.0001, Personal information management system.

  8. ISMS Criteria (diagram)
  • ISMS criteria (set forth in the Ordinance of MSIP and the TTA standard) consist of two parts:
    • Countermeasures [13 areas, 104 controls]
    • Information Security Mgt. Process [five processes, 12 requirements] (the ISMS life cycle)
  • Items shown in the diagram: Security Policy; Organization; Asset Identification and Classification; Information Security Policy; Education and Training; Defining Scope; e-commerce Security; Review/Monitoring/Audit; Cryptographic Control; Follow-up; Personnel Security; Outsider Security; Physical Security; Incident Handling; Operational Mgt.; System Security; Access Control; Risk Management; Implementation; Business Continuity Management.

  9. PIMS Criteria (diagram; max. 86 criteria, set forth in the ordinance and the KS standard)
  • Management process: defines the management process for personal information protection (the lifecycle of PIMS): policy making, scope setting, risk management, implementation, maintenance.
  • Protective measures (technical and organizational safeguards): defines managerial, technical and physical protection measures for PI: privacy policy, privacy organization, classification of personal information, education and training, personnel security, infiltration incident handling and response procedures, technical protective measures, physical protective measures, internal review and audit.
  • PI lifecycle protection: defines privacy controls meeting legal requirements for each lifecycle stage, from generation to disposal of PI: collection, use and transfer, management and disposal.

  10. ISMS/PIMS certification governance
  • Purpose: to check whether the ISMS/PIMS implemented by enterprises comply with the criteria set forth in the ordinance.
  • MSIP/KCC/MoI
    • Upgrade laws and regulations and enforce policies
    • Support budget for ISMS/PIMS
  • Certification Committee
    • Approve the results of assessment
    • Review the feasibility of certification cancellation
    • Consists of about 10 experts from academia, institutes, law firms, etc.
  • Certification Authority
    • Accept the application
    • Develop certification criteria and guidelines
    • Recruit certification assessors
    • Issue/manage certificates
    • Operate pools for the certification committee and certification assessors
    • Offer technical advice
    • Conduct follow-up assessment
  • Assessment Authority/Team
    • Perform certification assessment
    • Write the assessment report

  11. Certified organizations
  • As of April 2016:
    • 410 organizations have obtained ISMS certification from KISA.
      • By year: 1 (2002), 2 ('03), 1 ('04), 3 ('05), 0 ('06), 5 ('07), 8 ('08), 8 ('09), 8 ('10), 5 ('11), 11 ('12), 118 ('13), 174 ('14), 52 ('15), 14 ('16)
    • 60 organizations have obtained PIMS certification.
      • By year: 2 ('11), 7 ('12), 11 ('13), 7 ('14), 14 ('15), 19 ('16)
  • The number of ISMS/PIMS-certified organizations is expected to increase in 2016.
  • Source: http://isms.kisa.or.kr/kor/issue/issue01.jsp?certType=ISMS

  12. Ready for the global PIMS certification scheme

  13. WG areas in ISO/IEC JTC 1/SC 27 (diagram)
  • WG 1: ISMS
  • WG 2: Cryptography & Security Mechanisms
  • WG 3: Security Evaluation
  • WG 4: Security Controls & Services
  • WG 5: Identity Management & Privacy Technologies
  • Diagram axes: Assessment / Guidelines / Techniques; Product / Process / Environment / System

  14. Study Period on PIMS (JTC 1/SC 27)
  • The outcome of the joint WG1/WG5 Study Period on PIMS, agreed at the Rome SC27 meeting in October 2012:
    • not to develop a privacy-specific management system, but to use ISO/IEC 27001 information security management even in the privacy-specific context;
    • to develop a standard (ISO/IEC 27009) that explains how to create and use sector-specific standards in the ISO/IEC 27001 framework (including privacy, cloud computing, telecom, ...) for certification purposes;
    • to develop a standard (ISO/IEC 29151) that provides a set of PII protection controls for PII controllers only.

  15. ISO/IEC 27009 (from ISO/IEC DIS 27009)

  16. ISO/IEC DIS 29151 (ITU-T X.gpim | ISO/IEC 29151)
  • ISO/IEC 27002 controls for:
    • Security policy
    • Organization of information security
    • Human resources security
    • Physical and environmental security
    • Communications and operations management
    • Access control
    • Information systems acquisition, development and maintenance
    • Reporting security weaknesses
    • Business continuity management
    • Compliance
  • ISO/IEC 29151: additional PII-specific implementing guidance for each of the ISO/IEC 27002 control areas above.
  • Annex A: an extended set of PII-specific controls meeting the ISO/IEC 29100 principles:
    • Consent and choice
    • Purpose legitimacy and specification
    • Collection limitations
    • Data minimization
    • Accuracy and quality
    • Openness, transparency and notice
    • Individual participation and access
    • Accountability
    • Information security
    • Privacy compliance

  17. Global PIMS certification (proposed) (diagram)
  • ISMS: ISO/IEC 27001 (requirements for MS); security risk treatment; ISO/IEC 27002 (security controls).
  • PIMS: ISO/IEC 27001 (requirements for MS) plus the NWIP (at the April 2016 SC27 meeting) for additional requirements for a privacy-specific MS; security and privacy risk treatment; ISO/IEC 27002 (security controls) plus ISO/IEC DIS 29151 (PII protection controls).

  18. Concluding remark

  19. Concluding remark
  • Challenges for PII protection:
    • Data leakage incidents are growing.
    • Increasing need for data transfer across borders.
    • Need to provide confidence in the level of PII protection at organizations that wish to receive data transferred across borders.
  • Comprehensive solution: PIMS certification.
  • International standards for global PIMS certification are expected to be ready by April 2018:
    • ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO/IEC 27009:2016
    • ITU-T X.gpim | ISO/IEC DIS 29151 (April 2016)
    • NWIP for additional requirements for PIMS (agreed at the April 2016 Tampa SC27 meeting)

  20. Thank you very much. Contact e-mail: hyyoum at sch.ac.kr